_private/qwestly-docs/Policies/SLA Summary.md

Qwestly SLA & Compliance Timeframes Summary

This document summarizes all key service level agreements (SLAs), compliance deadlines, and operational timeframes required by Qwestly's policies.

Incident Response & Breach Notification

| Action/Severity | Timeframe | Source Policy |
|---|---|---|
| Initial containment/assessment | 0–1 hour | Incident Response, InfoSec Roles |
| Business response/notification | 1–4 hours | Incident Response, InfoSec Roles |
| Regulatory notification | Within 72 hours | Data Management, Incident Response |
| Individual notification | Within 30 days | Data Management |
| Remediation (Critical/P0) | 7 days | Incident Response |
| Remediation (High/P1) | 14 days | Incident Response |
| Remediation (Med/Low) | 90 days | Incident Response |

Access Management & Offboarding

| Action | Timeframe | Source Policy |
|---|---|---|
| Access termination | Within 24 business hours | Access Control, Asset Mgmt, HR Sec |
| Emergency access expiry | 72 hours | Access Control |
| Quarterly access review | Quarterly | Access Control, InfoSec Roles |

Data Subject Rights (GDPR/CCPA)

| Action | Timeframe | Source Policy |
|---|---|---|
| Data access/export | Within 30 days | Data Management |
| Data correction | Prompt/self-service | Data Management |
| Data deletion | Within 30 days | Data Management, Deletion Checklist |
| Data portability | Within 30 days | Data Management |

Data Retention & Disposal

| Data Type | Retention Period | Source Policy |
|---|---|---|
| Active profiles | While active | Data Management |
| Inactive profiles | 3 years | Data Management |
| Interview data | 3 years | Data Management |
| Anonymous usage | Up to 3 years | Data Management |
| Financial data | 7 years | Data Management |
| Background checks | 2 years or by law | Data Management |
| AI training (anonymized) | 7 years | Data Management |
| Consent records | 10 years | Data Management |
| Secure deletion | After retention period | Data Management, Asset Mgmt |

Security Training

| Action | Timeframe | Source Policy |
|---|---|---|
| Onboarding training | Within 5 business days | InfoSec Roles, HR Security |
| Annual security training | Annually | InfoSec, HR Security, InfoSec Roles |
| Phishing simulation | Quarterly | InfoSec Roles |
| Incident response tabletop | Semi-annual | InfoSec Roles |

Vendor Management

| Action | Timeframe | Source Policy |
|---|---|---|
| Critical vendor review | Monthly | Third-Party Mgmt |
| Important vendor review | Quarterly | Third-Party Mgmt |
| Comprehensive vendor review | Annually | Third-Party Mgmt |
| Vendor incident notification | Within 24 hours | Third-Party Mgmt |

Backup & Recovery

| Action | Timeframe | Source Policy |
|---|---|---|
| Critical system recovery | Within 4 hours | Operations Security |
| Data loss limitation | Max 1 hour | Operations Security |
| Backup restoration testing | Quarterly | Operations Security, BC/DR |
| Disaster recovery test | Annually | BC/DR |

Vulnerability Management

| Action | Timeframe | Source Policy |
|---|---|---|
| Critical patch application | Within 7 days | Operations Security |
| Vulnerability remediation | 72 hours (critical), 7 days (high) | InfoSec Roles |

Policy Review

| Action | Timeframe | Source Policy |
|---|---|---|
| Minor/metrics review | Quarterly | InfoSec Roles, Operations Security |
| Comprehensive review | Annually | InfoSec Roles, Physical Security |
| Triggered review | After incident/reg change | InfoSec Roles |

Other Notable SLAs

| Action | Timeframe | Source Policy |
|---|---|---|
| Lost/stolen device reporting | Immediate (≤4 hours) | Asset Mgmt, Physical Security |
| Incident documentation | Within 24 hours | Asset Mgmt, Operations Security |
| Emergency access documentation | Within 24 hours | Access Control |
| Security awareness updates | Ongoing | HR Security, InfoSec Roles |

No contradictions were found in the reviewed policies. All SLAs and timeframes are consistent and compatible.